Wednesday, August 21, 2013

Practice Question 53 (MCP 70-640 Windows Server 2008 Active Directory, Configuring)

Your company has an Active Directory domain.
All servers run Windows Server 2008 R2.
Your company runs an enterprise root certification authority (CA).

You need to ensure that only administrators can sign code.

Which two tasks should you perform?
(Each correct answer presents part of the solution. Choose two.)

A. Edit the local computer policy of the enterprise root CA to allow only administrators to manage Trusted Publishers.
B. Modify the security settings on the template to allow only administrators to request code signing certificates.
C. Edit the local computer policy of the enterprise root CA to allow users to trust peer certificates and allow only administrators to apply the policy.
D. Publish the code signing template.

Correct answer: B, D
B. Modify the security settings on the template to allow only administrators to request code signing certificates.
D. Publish the code signing template.

Reference:
Generating and working with code signing certificates
A code signing certificate is a security measure designed to help prevent the execution of malicious code.
The intention is that code must be "signed" with a certificate that is trusted by the machine on which the
code is executed. The trust is verified by contacting the certification authority that issued the certificate,
which could be a local CA (on the machine itself, such as a self-signed certificate), an internal CA (on the
domain, such as an enterprise certification authority) or an external CA (a third party, such as Verisign or
Thawte).
In an Active Directory domain with an enterprise root certification authority, the enterprise root CA
infrastructure is trusted by every machine that is a member of the domain, and therefore any certificate
issued by this CA is automatically trusted.
In the case of code signing, it may also be necessary for the issued certificate to be in the "Trusted
Publishers" store of the local machine in order to avoid any prompts when executing code, even if the
certificate was issued by a trusted certification authority. It is therefore necessary to ensure that certificates
are added to this store wherever user interaction is unavailable, such as for automated processes that run
signed code.
A certificate can be assigned to a user or a computer, which then becomes the "publisher" of the code in
question. Generally this should be the user, who then becomes the trusted publisher. As an example, the
members of the development team in your organisation will probably each have their own code signing
certificate, all of which would be added to the "Trusted Publishers" store on the domain machines.
Alternatively, a special domain account might exist specifically for signing code, although one of the
advantages of code signing is being able to determine which person signed the code.
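The two correct tasks (B: restrict who may enroll for the template, D: publish it to the CA) can be audited and applied from PowerShell. This is an added example, not code from the original post; it assumes an Enterprise Admin session on a domain-joined machine with the ActiveDirectory and ADCSAdministration modules, that the built-in "Code Signing" template (cn CodeSigning) is used, and that "Domain Admins" is the group that should be allowed to sign code.

```powershell
# Added example: audit and tighten the Enroll right on the Code Signing template
# in AD DS, then publish the template to the enterprise CA.
# Assumptions: Enterprise Admin session, ActiveDirectory + ADCSAdministration
# modules available, "Domain Admins" is the only group that may request the cert.
Import-Module ActiveDirectory
Import-Module ADCSAdministration

$TemplateCn = 'CodeSigning'        # cn of the built-in "Code Signing" template
$Allowed    = 'Domain Admins'      # assumption: the administrators' group
# Extended right "Certificate-Enrollment" (the "Enroll" permission in the MMC)
$EnrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

$configNc = (Get-ADRootDSE).configurationNamingContext
$dn  = "CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$acl = Get-Acl -Path "AD:\$dn"

# 1. Audit: which principals can currently request (Enroll) this template?
$acl.Access |
    Where-Object { $_.ObjectType -eq $EnrollGuid -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object { Write-Host "Enroll currently allowed for: $($_.IdentityReference)" }

# 2. Remove explicit Enroll ACEs from every principal other than the allowed group
#    (inherited ACEs cannot be removed here and are skipped).
$acl.Access |
    Where-Object { $_.ObjectType -eq $EnrollGuid -and -not $_.IsInherited -and
                   $_.IdentityReference -notlike "*\$Allowed" } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# 3. Grant Enroll to the allowed group. Read is also required to enroll; the
#    default template ACL already grants Read to Authenticated Users.
$sid  = (Get-ADGroup -Identity $Allowed).SID
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $EnrollGuid)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$dn" -AclObject $acl

# 4. Publish the template so the CA will issue from it (task D).
#    On Windows Server 2008 R2, which lacks the ADCSAdministration module,
#    the equivalent is: certutil -SetCATemplates +CodeSigning
Add-CATemplate -Name $TemplateCn -Force
```

Re-running step 1 afterwards should list only the allowed group, which is the check an auditor would want before trusting signatures from this template.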
